hi,

Thanks for your answer but I don't know how doing that.

I have 3 files, one is .crt, another is .ca and the last is .prv.

All  these are from the UC520.

This certificate is self-signed.

Which file should I export to the Cisco Digital Media Manager?

And how can I do that?

Or should I have to import the CA from the DMM to the Uc520?

I'm really lost

Hi Pablo,

you do not need to do anything on the DMM.

On the router, you need to import the DMM server certificate OR the CA certificate of the CA that the DMM received its cert from.

Off the top of my head, you would need something like:

conf t

crypto pki trustpoint DMMCA

  enrollment terminal

  exit

exit

crypto pki authenticate DMMCA

OR

crypto pki import ...

to import the server cert.

(check the options, don't know them by heart)

Sorry for the condensed response - hope to have more time later or next week if you need more help.

H

maybe this helps:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftmancrt.html

Hi, thanks for your advise.

I'm trying to copy the certificate via cut and paste, but I'm getting a

% Error in saving certificate: status = FAIL

I dont know if I'm doing this right.

I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.

I get a file which if I open with notepad is like

-----BEGIN CERTIFICATE-----

MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV

.............

KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g

mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R

nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=

-----END CERTIFICATE-----

If I try to authenticate the trustpoint, I get that error.

how can I export the certificate from the DMM?

I think that this file is not the right file.

and then, do I have to make some changes in

webvpn gateway SDM_WEBVPN_GATEWAY_1?

Should I choose the new trustpoint?

I understand that the old trustpoint is for the outside connection, no for the LAN connection.

Dont worry about me, answer when you can but I really need to fix this.

Thank you so much

It sounds like you're doing the right things, the cert format looks good, so not sure why it is saying "

Error in saving certificate:". You may need to use "crypto pki import ..." instead of authenticate.

Would you mind posting the entire cert in PEM format (or send it to me privately - click on my name, then on my profile page click "send private message") ?

Can't promise a response in the next few days though.

H

Hi Pablo,

Thanks for sending me the cert. I tried importing it and see the same problem, but when I examine the cert with openssl it seems fine - but then I noticed that it has a very long validity, until the year 2112; I think this is causing the problem.

I found this bug on ASA:

CSCsu27196    ASA should support certificates with dates after Jan 19 2038

but I believe IOS has the same problem, although I cannot immediately find a bug ID for it.

Could you try issuing a new self-signed cert on the DMM server, with a shorter validity, e.g. until 2037 ?

hth

Herbert

Hi Herbert

I have read your suggest

you will need to create a trustpoint and import either:

- the server certificate (in this case you need 1 trustpoint per server)

Is that mean we should ask the server owner to get the valid certificate for insert into cisco router 1941?

I have no idea how to get the certificate for gmail if we prefer to access this webmail service through ssl vpn.

Moreover, how can we use that cert in case the valid cert is already insert into the router, becuase the router is already using this

"#crypto pki trustpoint TP-self-signed-3430371784" for client

which command i should use that for the valid certificate?